Cloud security, ransomware, and poor incident responses have all shaped security discussions in 2017. Another interesting year in security has gone by and although it is difficult to only pick a couple of highlights, we have put together a list of 7 security news stories that defined 2017.
The WannaCry ransomware attack infected thousands of computers running Microsoft Windows in over 150 countries. The NHS, Deutsche Bahn, and FedEx were among the organisations affected by the attack. WannaCry propagates using EternalBlue, an SMB exploit from the NSA hacking toolkit that had been leaked by Shadow Brokers in April 2017. This was not the only attack taking advantage of EternalBlue – about a month after WannaCry, a variant of Petya ransomware (also known as NotPetya) hit Ukraine using the same exploit. Ransomware attacks have become increasingly common in 2017 as ransomware has become a lucrative business for cybercriminals.
In October, researchers disclosed a vulnerability that could potentially affect anyone with an HTTPS certificate. ROCA, a weakness in a software library used in cryptography hardware made by Infineon Technologies AG, allows an attacker to recover a valid private key. Because the hardware is widely used to generate everything from HTTPS certificates and PGP keys to smart cards, ROCA had a considerable scope.
3. Dirty COW… again
The Dirty COW exploit was big news in 2016, but the story did not end there. This year, a new malware called ZNIU emerged. ZNIU spreads via infected apps, exploiting the Dirty COW vulnerability to gain root access to Android devices. To top it all off, the Dirty COW patch that was released last year turned out to be flawed, making it possible for an attacker to exploit a race condition and gain write-access to read-only memory. The vulnerability put several Linux distributions at risk, but had a considerably smaller scope than last year’s Dirty COW exploit as it does not affect Android. The moral of the story? Using unpatched software is risky, patches can be vulnerable and security flaws can make an unexpected comeback.
4. S3 bucket misconfigurations
Misconfigured AWS S3 buckets were this summer’s security hot topic. Companies like Dow Jones, ABC, Time Warner and Verizon made the headlines after unintentionally exposing their buckets. We wrote about S3 bucket misconfigurations and did research on how they can be exploited. Since then, Amazon has added new security features and worked to inform AWS users about the risks associated with bucket misconfigurations. Although AWS was in the spotlight this year, cloud misconfigurations in general are not uncommon as cloud security is still a relatively new frontier.
If there is one security incident that sticks out in terms of scope and publicity this year, it’s the Equifax breach. Personal data belonging to millions of people was exposed, and one of the elements leading to the breach was a vulnerability in Apache Struts (CVE-2017-5638). As a patch for the flaw had been released two months before Equifax was breached, the company’s security routines were called into question. To make things worse, Equifax did not notify the public of the data exposure straightaway, and proceeded to send affected customers to a fake campaign website.
Equifax was not the only company dealing with security issues in a less than optimal way. In autumn 2017, news broke that Uber had paid a hacker $100,000 to conceal a serious security breach that took place in 2016. Uber issued a statement and confirmed that two security officials involved in the incident had resigned, but it remains to be seen how – and if – the company regains consumers’ trust.
7. Google Chrome implemented the “Not Secure” warning
2017 was not all about ransomware, misconfigurations, and companies not taking responsibility for their security shortcomings; it was also a year of increased security awareness. In January, Google Chrome rolled out the “Not secure” warning that flags websites that do not use HTTPS and contain login forms or credit card input fields, while Mozilla announced a similar warning would be implemented in Firefox. The warnings do not only help website visitors become more aware of security risks, they also guide developers as they make their own websites more secure. Hurray for a safer internet!
What’s 2018 going to bring?
What can we expect in security news in the coming year? With the increasing popularity of cryptocurrency, we will probably see a growing number of leaking wallets. We might also encounter more NSA leaks similar to those published by Shadow Brokers, followed by sophisticated exploits based on the leaked hacking tools.
As gadgets like Amazon Echo enter consumers’ homes, it would not be surprising to see attacks targeting smart home devices. Same as last year, we believe the trend of exploits with catchy names will continue. 2017 definitely lived up to this prediction with names like KRACK, WannaCry, CloudBleed, and EternalBlue. This year, we didn’t see any major DDoS attacks like the Dyn attack of 2016, but unfortunately, this does not mean DDoS is not a threat anymore.
But don’t worry, things are moving in the right direction! Developers and internet users are becoming more aware of security issues and potential threats. As governments implement measures like the GDPR to protect private data, we hope that organisations look at this year’s cautionary tales and begin to secure their websites. After Equifax, Uber, Yahoo, and many more, dealing with security breaches in a timely and transparent manner is more important than ever before. Let’s make 2018 the year of awesome security!